We rely heavily on our smartphones for various aspects of our lives and expect them to be secure and protected against any threats. Although monthly security updates help protect our data, users of Google Pixel or Samsung phones should be cautious. Recently, Google's bug-hunting team, Project Zero, discovered eighteen security vulnerabilities affecting Exynos modems that, when combined, could give attackers complete control of a smartphone without the user's knowledge.
Among the eighteen vulnerabilities identified, four are considered the most critical, enabling remote code execution using only the victim's phone number. Although only one of the most severe vulnerabilities has a publicly assigned CVE number, Google has not disclosed the others associated with this bug.
Mobile devices from Samsung, Vivo, Google's Pixel 6 and Pixel 7 series, and vehicles using the Exynos Auto T5123 chipset are affected. The March security update has addressed this issue for Pixel 7 series devices. However, Pixel 6 series devices do not yet have the update, so users of unpatched devices should disable VoLTE and Wi-Fi Calling. According to Tim Willis, Project Zero's head, skilled attackers could use limited research and development to create an operational exploit to compromise affected devices silently and remotely. This means that a user's device could be compromised without their knowledge, and some attackers might find it relatively easy to exploit.
Regarding CVE-2023-24033, the significant exploit we have information on, affected baseband modem chipsets fail to check format types specified by the Session Description Protocol (SDP) module, resulting in a denial of service. In this context, a denial of service usually means that an attacker can remotely lock the user's phone, rendering it unusable.
The other fourteen vulnerabilities aren't as critical but still pose a risk to the end-user, requiring either a malicious mobile network operator or an attacker with local access to the device for successful exploitation.
For users of affected devices awaiting an update, disabling VoLTE and Wi-Fi Calling is recommended. For those with the March security update available, it's crucial to update their device to mitigate these security vulnerabilities.